Why even low-value data requires a strong security response
Stolen payment card data is a bad investment. There's just far more stolen payment credentials available than the "market" will bear.
Of much more value these days is personal identifiable information (PII) that enables identity theft, account takeover and other fraudulent payment activity. A company's intellectual property, which can be stolen and held for ransom, is also highly appealing to criminals.
"Payment card data is cheaper on the underground markets compared to other data, and there is so much of it, it is just devalued," said Karl Sigler, threat intelligence manager at Trustwave's Spider Labs. "Fraud detection mechanisms have gotten so much better, that a lot of these stolen card numbers have a very short shelf life."
Criminals value payment card data per capita at only 53 cents to $1 on the black market. By comparison, PII is far more alluring, but scammers aren't valuing any of this data as high as the companies producing and storing it. Yet, most companies and organizations continue to struggle with how to assess the security risk of that data and establish policies to protect it, according to new research from Trustwave.
Chicago-based Trustwave conducted a global survey of 500 information technology decision makers worldwide to examine attitudes toward the value of confidential data, including payment card data.
In using 10 criteria to measure "data risk vigilance," or the efforts to protect data, the research found Canadian firms were among the most vigilant, and Australian businesses the least vigilant. U.S. companies were right behind Canada as most vigilant.
Most countries place the highest security priority on PII data, with intellectual property second, payment card data third and email data fourth. Not all organizations in the survey dealt with payment card data directly, and Japan gave payment card data its lowest priority in part because of its own JCB brand, and a language much harder for criminals to penetrate, the report said.
As far as the value of the data they are protecting, U.S. professionals value their PII data twice as much as their U.K. counterparts. The average per capita value of PII in the U.S. is $1,820 compared to $843 in the U.K., the report noted.
"For criminals, this data represents nothing more than a paycheck, but for organizations there are liability issues and reputation issues that can occur with any breach," Sigler said. "It forces those organizations to place a higher value on the data."
Thus, cybercriminals place a per capita value of $39 on an individual's PII, while IT professionals value it at $1,198, insurers value it at $3,211 and regulators are at the top of the value scale at $8,118.
But per capita values don't always translate to stronger risk assessment and security policies for all organizations or corporations involved.
"Even though we are seeing organizations placing higher value on data than criminals actually are, we are not seeing all of those organizations applying security controls to protect that data properly," Sigler said.
Some organizations valuing data at a much higher level than the criminals trying to steal that data "still seem to be lost in how to properly lock that data down," Sigler said. "We are still seeing that best practices are not being applied, and those simple things like risk assessment are not being performed properly."
Risk assessment is typically the foundation of any good security process, Sigler added, because "it doesn't make sense to buy security products or even put in a password policy if you don't know what you are trying to secure or what is at risk."
The first task for risk management is an inventory of what a company network includes, from software to operating systems and where PII or payment card data is being stored, and how intellectual property is protected.
A value assessment of that data is next, Sigler said. It's a process that many organizations aren't quite sure how to address, he added.
"When they do it themselves, they will just list all of the servers and just go from the top to the bottom of the list," Sigler said. "It's an easy way to get bogged down in details you don't need. And that's how to get overwhelmed."
It is a more effective process to place a value on systems when doing inventory, and begin looking at the potential security gaps in those data sets first, Sigler added.
The process of valuing data and assessing risk changes by industry sector, the report said.
Health care and hospitality sectors give PII to priority, while industrial and IT/communications companies rank intellectual property as the most important.
Patient data is the most rigorously risk-assessed data, the report noted.
Nearly 80% of organizations seeing patients as their prime data subject said they had carried out a comprehensive risk assessment, a percentage higher than any other data subject.
That number rose to 90% in the U.K., where health care is largely controlled by the government through the National Health Service. For those dealing with HIPAA-related data in the U.S., that number rose to 85%.